


mechtn's firewall script - mechtn - 2005-06-27


Here is my iptables firewall script. I'm currently in the process of learning iptables, and this is where I'm keeping my most recent, up-to-date working version. I plan on keeping the script well documented for other noobs like myself, so try it out if you're looking to get into iptables.

 

Iptables 1.2.11

Gentoo 2.6.11 r11

 

firewall.sh

------------------------------

 

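#!/bin/sh
# firewall.sh -- iptables ruleset for a two-interface NAT gateway.
#
# Tested with iptables 1.2.11 on a 2.6.11 kernel. Needs the nat table and the
# state, multiport and limit matches. Safe to re-run: every chain is flushed
# and rebuilt. Default policies are set *before* the flush so that a failure
# part-way through leaves the gateway closed rather than open.
#
# Sections: sysctl knobs, policies/flush, FORWARD (routed traffic), INPUT
# (traffic to the gateway itself), nat PREROUTING (port forwards),
# nat POSTROUTING (masquerade).

# Abort on the first rule that fails to load (missing module, typo) instead of
# silently continuing with a half-built table; -u catches misspelled variables.
set -eu

# Location of the iptables binary.
IPTABLES=/sbin/iptables

# External (uplink) and internal (LAN) interfaces. Every rule uses these two
# names -- the original hard-coded "eth0" in two places, which silently breaks
# when INTIF is changed.
EXTIF="eth1"
INTIF="eth0"

# Second LAN range that is reached through INTIF (see the two rules that
# accept traffic to it below).
LAN2_NET="10.10.24.0/24"

# Host that receives the PPTP VPN forwards (tcp/1723 + GRE) as well as the
# HTTP/POP3 forwards.
VPN_HOST="10.10.23.95"

#######################################
# Port-forward one external port to an internal host.
# Globals:   IPTABLES, EXTIF (read)
# Arguments: $1 - protocol (tcp|udp)
#            $2 - destination port as seen on EXTIF
#            $3 - internal target as HOST[:PORT]
#######################################
dnat() {
  "$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p "$1" --dport "$2" \
    -j DNAT --to-destination "$3"
}

# Enable IP forwarding and dynamic-address handling.
echo "1" > /proc/sys/net/ipv4/ip_forward
echo "1" > /proc/sys/net/ipv4/ip_dynaddr

# Default-deny for traffic to the gateway and for routed traffic; the
# gateway's own outbound traffic is allowed. Policy first, then flush, so the
# window while rules are rebuilt is closed, not open.
"$IPTABLES" -P INPUT DROP
"$IPTABLES" -F INPUT
"$IPTABLES" -P OUTPUT ACCEPT
"$IPTABLES" -F OUTPUT
"$IPTABLES" -P FORWARD DROP
"$IPTABLES" -F FORWARD
"$IPTABLES" -t nat -F

# --- FORWARD: traffic routed through the gateway -----------------------------

# Replies to connections opened from the LAN.
"$IPTABLES" -A FORWARD -i "$EXTIF" -o "$INTIF" -m state --state ESTABLISHED,RELATED -j ACCEPT

# Services reachable through the port forwards below. This rule is not bound
# to an interface, so it also matches LAN-originated traffic to these ports on
# any routed destination; add -i "$EXTIF" if that is not wanted.
"$IPTABLES" -A FORWARD -p tcp -m multiport --dports 21,25,80,110,1723,3389,3450,3500,6881 -j ACCEPT

# Whole RDP mapping range from the uplink. After DNAT every RDP forward lands
# on port 3389, which the multiport rule already covers, so this only matters
# for traffic that was not rewritten by PREROUTING; kept for compatibility.
"$IPTABLES" -A FORWARD -p tcp --dport 3389:3500 -i "$EXTIF" -j ACCEPT

"$IPTABLES" -A FORWARD -p tcp -d "$VPN_HOST" --dport 1723 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -d 10.10.23.80 --dport 6881 -j ACCEPT

# The LAN may reach the uplink freely and the second LAN range behind INTIF.
"$IPTABLES" -A FORWARD -i "$INTIF" -o "$EXTIF" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$INTIF" -d "$LAN2_NET" -j ACCEPT

# VPN: PPTP control channel and GRE (IP protocol 47) to the PPTP server.
"$IPTABLES" -A FORWARD -i "$EXTIF" -p 47 -d "$VPN_HOST" -j ACCEPT
"$IPTABLES" -A FORWARD -i "$EXTIF" -p tcp -d "$VPN_HOST" --dport 1723 -j ACCEPT

# The 5631/5632 pair forwarded to 10.10.23.48 (see the nat section).
"$IPTABLES" -A FORWARD -p tcp -d 10.10.23.48 --dport 5631 -j ACCEPT
"$IPTABLES" -A FORWARD -p udp -d 10.10.23.48 --dport 5632 -j ACCEPT

# Log what is about to hit the DROP policy. Placed *after* every ACCEPT (the
# original logged before the 5631/5632 rules, so permitted traffic was logged
# too) and rate-limited so a packet flood cannot fill the disk via syslog.
"$IPTABLES" -A FORWARD -m limit --limit 3/minute --limit-burst 10 \
  -j LOG --log-prefix "FORWARD DROP: "

# --- INPUT: traffic addressed to the gateway itself --------------------------

"$IPTABLES" -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

# Trust everything from the LAN and loopback, plus replies to our own traffic.
"$IPTABLES" -A INPUT -i "$INTIF" -j ACCEPT
"$IPTABLES" -A INPUT -i lo -j ACCEPT
"$IPTABLES" -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# Already covered by the -i INTIF rule above; kept for parity with FORWARD.
"$IPTABLES" -A INPUT -i "$INTIF" -d "$LAN2_NET" -j ACCEPT

# The original also accepted tcp/1723 and GRE here on every interface. Those
# rules could never match uplink traffic (PREROUTING rewrites both to VPN_HOST
# before INPUT is consulted) and were redundant for LAN traffic (-i INTIF rule
# above), so they are removed rather than left as an open door should the
# DNATs ever be dropped.

# Services the gateway itself offers: SSH from the uplink, DNS to the LAN.
"$IPTABLES" -A INPUT -i "$EXTIF" -p tcp --dport 22 -j ACCEPT
"$IPTABLES" -A INPUT -i "$INTIF" -p tcp --dport 53 -j ACCEPT

# --- nat PREROUTING: port forwards from the uplink ---------------------------

dnat tcp 21   10.10.23.3:21
dnat tcp 25   10.10.23.3:25
dnat tcp 80   "$VPN_HOST:80"
dnat tcp 110  "$VPN_HOST:110"
dnat tcp 5631 10.10.23.48:5631
dnat udp 5632 10.10.23.48:5632
dnat tcp 6881 10.10.23.80:6881
dnat udp 6881 10.10.23.80:6881

# RDP: one external port per internal desktop, all landing on 3389.
# Unused ports in 3389-3454: 3399, 3405, 3410, 3430, 3448 (the original
# comment listed 3423, which is in fact mapped). 3423 and 3424 both point at
# 10.10.24.155 and 3411/3449 both at 10.10.23.116 -- confirm that is intended.
for map in \
  3389=10.10.23.95  3390=10.10.23.98  3391=10.10.23.80  3392=10.10.23.166 \
  3393=10.10.23.159 3394=10.10.23.16  3395=10.10.23.88  3396=10.10.23.40  \
  3397=10.10.23.97  3398=10.10.23.23  3400=10.10.23.146 3401=10.10.23.66  \
  3402=10.10.23.121 3403=10.10.23.20  3404=10.10.23.120 3406=10.10.23.191 \
  3407=10.10.23.180 3408=10.10.23.71  3409=10.10.23.45  3411=10.10.23.116 \
  3412=10.10.23.101 3413=10.10.23.165 3414=10.10.23.43  3415=10.10.23.181 \
  3416=10.10.23.143 3417=10.10.23.209 3418=10.10.23.85  3419=10.10.23.73  \
  3420=10.10.23.129 3421=10.10.23.140 3422=10.10.23.172 3423=10.10.24.155 \
  3424=10.10.24.155 3425=10.10.23.29  3426=10.10.23.158 3427=10.10.23.117 \
  3428=10.10.23.207 3429=10.10.23.142 3431=10.10.23.122 3432=10.10.23.86  \
  3433=10.10.23.134 3434=10.10.23.137 3435=10.10.23.149 3436=10.10.23.126 \
  3437=10.10.23.57  3438=10.10.23.227 3439=10.10.23.34  3440=10.10.23.234 \
  3441=10.10.24.99  3442=10.10.23.125 3443=10.10.23.189 3444=10.10.23.161 \
  3445=10.10.23.202 3446=10.10.23.53  3447=10.10.23.182 3449=10.10.23.116 \
  3450=10.10.23.114 3451=10.10.24.157 3452=10.10.23.65  3453=10.10.23.70  \
  3454=10.10.23.220 3500=10.10.23.22
do
  dnat tcp "${map%=*}" "${map#*=}:3389"
done

# VPN: PPTP control channel and all GRE to the PPTP server.
dnat tcp 1723 "$VPN_HOST:1723"
"$IPTABLES" -t nat -A PREROUTING -i "$EXTIF" -p 47 -j DNAT --to-destination "$VPN_HOST"

# Disabled experiments from the original, kept for reference only.
#"$IPTABLES" -t nat -A PREROUTING -p tcp -d 64.247.238.178 --dport 80 -j DNAT --to-destination 10.10.23.95
#"$IPTABLES" -t nat -A POSTROUTING -p tcp -d 10.10.23.1 -j SNAT --to-source 10.10.23.95:80
#"$IPTABLES" -t nat -A OUTPUT --dst 64.247.238.178 -p tcp --dport 80 -j DNAT --to-destination 10.10.23.95
#"$IPTABLES" -t nat -A PREROUTING --dst 64.247.238.178 -p tcp --dport 80 -j DNAT --to-destination 10.10.23.95
#"$IPTABLES" -t nat -A POSTROUTING -p tcp --dst 10.10.23.95 --dport 80 -j SNAT --to-source 10.10.23.1

# --- nat POSTROUTING: hide the LAN behind the uplink address -----------------

"$IPTABLES" -t nat -A POSTROUTING -o "$EXTIF" -j MASQUERADE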

 

------------------------------

 

 

If you have any questions, you can find me on #linux-noob on efnet as mechtn or just leave me a reply here. More documentation to come soon!




mechtn's firewall script - mechtn - 2005-06-27

.....



mechtn's firewall script - mechtn - 2005-06-27

.....



mechtn's firewall script - anyweb - 2005-06-29


dude

 

what distro etc ?

 

more details, any errors ? what is/is not working ?

 

also, what exactly are you trying to do

 

cheers

 

anyweb




mechtn's firewall script - mechtn - 2005-10-04


# Generated by iptables-save v1.2.11 on Tue Oct 4 11:38:00 2005

*nat

:PREROUTING ACCEPT [4580542:426250850]

:POSTROUTING ACCEPT [282533:27972284]

:OUTPUT ACCEPT [9248:700140]

# Port forwards from the uplink (eth1). Each external port maps to exactly one
# internal host; the RDP block below maps 3389-3454 (with gaps) and 3500 onto
# port 3389 of different desktops.

-A PREROUTING -i eth1 -p tcp -m tcp --dport 21 -j DNAT --to-destination 10.10.23.3:21

-A PREROUTING -i eth1 -p tcp -m tcp --dport 5631 -j DNAT --to-destination 10.10.23.48:5631

-A PREROUTING -i eth1 -p udp -m udp --dport 5632 -j DNAT --to-destination 10.10.23.48:5632

-A PREROUTING -i eth1 -p tcp -m tcp --dport 25 -j DNAT --to-destination 10.10.23.3:25

-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j DNAT --to-destination 10.10.23.95:80

-A PREROUTING -i eth1 -p tcp -m tcp --dport 110 -j DNAT --to-destination 10.10.23.95:110

-A PREROUTING -i eth1 -p tcp -m tcp --dport 6881 -j DNAT --to-destination 10.10.23.80:6881

-A PREROUTING -i eth1 -p udp -m udp --dport 6881 -j DNAT --to-destination 10.10.23.80:6881

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3389 -j DNAT --to-destination 10.10.23.95:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3390 -j DNAT --to-destination 10.10.23.98:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3391 -j DNAT --to-destination 10.10.23.80:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3392 -j DNAT --to-destination 10.10.23.166:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3393 -j DNAT --to-destination 10.10.23.159:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3394 -j DNAT --to-destination 10.10.23.16:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3395 -j DNAT --to-destination 10.10.23.88:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3396 -j DNAT --to-destination 10.10.23.40:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3397 -j DNAT --to-destination 10.10.23.97:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3398 -j DNAT --to-destination 10.10.23.23:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3400 -j DNAT --to-destination 10.10.23.146:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3401 -j DNAT --to-destination 10.10.23.66:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3402 -j DNAT --to-destination 10.10.23.121:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3403 -j DNAT --to-destination 10.10.23.20:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3404 -j DNAT --to-destination 10.10.23.120:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3406 -j DNAT --to-destination 10.10.23.191:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3407 -j DNAT --to-destination 10.10.23.180:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3408 -j DNAT --to-destination 10.10.23.71:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3409 -j DNAT --to-destination 10.10.23.45:3389

# 3411 and 3449 both land on 10.10.23.116 -- confirm the duplicate is intended.

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3411 -j DNAT --to-destination 10.10.23.116:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3412 -j DNAT --to-destination 10.10.23.101:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3413 -j DNAT --to-destination 10.10.23.165:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3414 -j DNAT --to-destination 10.10.23.43:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3415 -j DNAT --to-destination 10.10.23.181:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3416 -j DNAT --to-destination 10.10.23.143:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3417 -j DNAT --to-destination 10.10.23.209:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3418 -j DNAT --to-destination 10.10.23.85:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3419 -j DNAT --to-destination 10.10.23.73:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3420 -j DNAT --to-destination 10.10.23.129:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3421 -j DNAT --to-destination 10.10.23.140:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3422 -j DNAT --to-destination 10.10.23.172:3389

# 3423 and 3424 both land on 10.10.24.155 -- confirm the duplicate is intended.

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3423 -j DNAT --to-destination 10.10.24.155:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3424 -j DNAT --to-destination 10.10.24.155:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3425 -j DNAT --to-destination 10.10.23.29:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3426 -j DNAT --to-destination 10.10.23.158:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3427 -j DNAT --to-destination 10.10.23.117:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3428 -j DNAT --to-destination 10.10.23.207:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3429 -j DNAT --to-destination 10.10.23.142:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3431 -j DNAT --to-destination 10.10.23.122:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3432 -j DNAT --to-destination 10.10.23.86:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3433 -j DNAT --to-destination 10.10.23.134:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3434 -j DNAT --to-destination 10.10.23.137:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3435 -j DNAT --to-destination 10.10.23.149:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3436 -j DNAT --to-destination 10.10.23.126:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3437 -j DNAT --to-destination 10.10.23.57:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3438 -j DNAT --to-destination 10.10.23.227:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3439 -j DNAT --to-destination 10.10.23.34:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3440 -j DNAT --to-destination 10.10.23.234:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3441 -j DNAT --to-destination 10.10.24.99:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3442 -j DNAT --to-destination 10.10.23.125:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3443 -j DNAT --to-destination 10.10.23.189:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3444 -j DNAT --to-destination 10.10.23.161:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3445 -j DNAT --to-destination 10.10.23.202:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3446 -j DNAT --to-destination 10.10.23.53:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3447 -j DNAT --to-destination 10.10.23.182:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3449 -j DNAT --to-destination 10.10.23.116:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3450 -j DNAT --to-destination 10.10.23.114:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3451 -j DNAT --to-destination 10.10.24.157:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3452 -j DNAT --to-destination 10.10.23.65:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3453 -j DNAT --to-destination 10.10.23.70:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3454 -j DNAT --to-destination 10.10.23.220:3389

-A PREROUTING -i eth1 -p tcp -m tcp --dport 3500 -j DNAT --to-destination 10.10.23.22:3389

# PPTP: control channel and all GRE arriving on eth1 go to 10.10.23.95.

-A PREROUTING -i eth1 -p tcp -m tcp --dport 1723 -j DNAT --to-destination 10.10.23.95:1723

-A PREROUTING -i eth1 -p gre -j DNAT --to-destination 10.10.23.95

-A POSTROUTING -o eth1 -j MASQUERADE

COMMIT

# Completed on Tue Oct 4 11:38:00 2005

# Generated by iptables-save v1.2.11 on Tue Oct 4 11:38:00 2005

*mangle

:PREROUTING ACCEPT [109072319:61314970621]

:INPUT ACCEPT [6816859:842823101]

:FORWARD ACCEPT [102406854:60502331385]

:OUTPUT ACCEPT [5668140:665317946]

:POSTROUTING ACCEPT [107990157:61163410755]

COMMIT

# Completed on Tue Oct 4 11:38:00 2005

# Generated by iptables-save v1.2.11 on Tue Oct 4 11:38:00 2005

*filter

:INPUT DROP [29:1564]

:FORWARD DROP [0:0]

:OUTPUT ACCEPT [2827:355089]

# NOTE(review): none of the seven user chains declared below is the target of
# any -j in INPUT, FORWARD or OUTPUT, so they never see a packet. The
# anti-spoof check ("Illegal source"), the INVALID/TCP-flag checks and the
# per-protocol service chains are all inert until the built-in chains jump to
# them (e.g. INPUT -> bad_packets, then tcp_inbound/udp_inbound/icmp_packets).

:bad_packets - [0:0]

:bad_tcp_packets - [0:0]

:icmp_packets - [0:0]

:tcp_inbound - [0:0]

:tcp_outbound - [0:0]

:udp_inbound - [0:0]

:udp_outbound - [0:0]

# Traffic to the gateway itself. Echo-request is accepted on every interface.

-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT

-A INPUT -i eth0 -j ACCEPT

-A INPUT -i lo -j ACCEPT

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

# Redundant: the unconditional -i eth0 ACCEPT above already matches this.

-A INPUT -d 10.10.24.0/255.255.255.0 -i eth0 -j ACCEPT

# Not bound to an interface. Uplink GRE/1723 is rewritten by the nat table
# before INPUT is consulted, and eth0 is accepted above, so these two rules
# only matter if the PREROUTING DNATs are removed.

-A INPUT -p gre -j ACCEPT

-A INPUT -p tcp -m tcp --dport 1723 -j ACCEPT

-A INPUT -i eth1 -p tcp -m tcp --dport 22 -j ACCEPT

-A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT

# Routed traffic. The multiport rule has no -i, so it also matches LAN-origin
# traffic to those ports on any routed destination.

-A FORWARD -i eth1 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT

-A FORWARD -p tcp -m multiport --dports 21,25,80,110,1723,3389,3450,3500,6881 -j ACCEPT

-A FORWARD -i eth1 -p tcp -m tcp --dport 3389:3500 -j ACCEPT

-A FORWARD -d 10.10.23.95 -p tcp -m tcp --dport 1723 -j ACCEPT

-A FORWARD -d 10.10.23.80 -p udp -m udp --dport 6881 -j ACCEPT

-A FORWARD -i eth0 -o eth1 -j ACCEPT

-A FORWARD -d 10.10.24.0/255.255.255.0 -i eth0 -j ACCEPT

-A FORWARD -d 10.10.23.95 -i eth1 -p gre -j ACCEPT

-A FORWARD -d 10.10.23.95 -i eth1 -p tcp -m tcp --dport 1723 -j ACCEPT

# Unlimited LOG placed before the two 10.10.23.48 ACCEPTs: permitted 5631/5632
# traffic is logged as well, and a packet flood is logged at line rate. Move
# it after the last ACCEPT and add -m limit.

-A FORWARD -j LOG

-A FORWARD -d 10.10.23.48 -p tcp -m tcp --dport 5631 -j ACCEPT

-A FORWARD -d 10.10.23.48 -p udp -m udp --dport 5632 -j ACCEPT

# Unreachable (see NOTE above): drop LAN-sourced addresses arriving on the
# uplink, then INVALID state, then hand TCP to the flag checks.

-A bad_packets -s 10.10.23.0/255.255.255.0 -i eth1 -j LOG --log-prefix "Illegal source: "

-A bad_packets -s 10.10.23.0/255.255.255.0 -i eth1 -j DROP

-A bad_packets -m state --state INVALID -j LOG --log-prefix "Invalid packet: "

-A bad_packets -m state --state INVALID -j DROP

-A bad_packets -p tcp -j bad_tcp_packets

-A bad_packets -j RETURN

# Unreachable (see NOTE above): skip LAN TCP, then log+drop NEW-without-SYN
# and the illegal flag combinations.

-A bad_tcp_packets -i eth0 -p tcp -j RETURN

-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j LOG --log-prefix "New not syn: "

-A bad_tcp_packets -p tcp -m tcp ! --tcp-flags SYN,RST,ACK SYN -m state --state NEW -j DROP

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j LOG --log-prefix "Stealth scan: "

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j LOG --log-prefix "Stealth scan: "

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,PSH,ACK,URG -j DROP

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j LOG --log-prefix "Stealth scan: "

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j LOG --log-prefix "Stealth scan: "

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,SYN,RST,ACK,URG -j DROP

-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j LOG --log-prefix "Stealth scan: "

-A bad_tcp_packets -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j LOG --log-prefix "Stealth scan: "

-A bad_tcp_packets -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP

-A bad_tcp_packets -p tcp -j RETURN

# Unreachable (see NOTE above). Note it DROPs echo-request (type 8), which
# contradicts the INPUT ACCEPT for type 8; only one of the two can be the
# intended policy once this chain is wired in.

-A icmp_packets -p icmp -f -j LOG --log-prefix "ICMP Fragment: "

-A icmp_packets -p icmp -f -j DROP

-A icmp_packets -p icmp -m icmp --icmp-type 8 -j DROP

-A icmp_packets -p icmp -m icmp --icmp-type 11 -j ACCEPT

-A icmp_packets -p icmp -j RETURN

# Unreachable (see NOTE above): ident rejected, mail/IMAP/SSH accepted.

-A tcp_inbound -p tcp -m tcp --dport 113 -j REJECT --reject-with icmp-port-unreachable

-A tcp_inbound -p tcp -m tcp --dport 25 -j ACCEPT

-A tcp_inbound -p tcp -m tcp --dport 110 -j ACCEPT

-A tcp_inbound -p tcp -m tcp --dport 143 -j ACCEPT

-A tcp_inbound -p tcp -m tcp --dport 22 -j ACCEPT

-A tcp_inbound -p tcp -j RETURN

-A tcp_outbound -p tcp -j ACCEPT

# Unreachable (see NOTE above): NetBIOS name/datagram dropped silently, ident
# rejected, DHCP replies (67 -> 68) accepted.

-A udp_inbound -p udp -m udp --dport 137 -j DROP

-A udp_inbound -p udp -m udp --dport 138 -j DROP

-A udp_inbound -p udp -m udp --dport 113 -j REJECT --reject-with icmp-port-unreachable

-A udp_inbound -p udp -m udp --sport 67 --dport 68 -j ACCEPT

-A udp_inbound -p udp -j RETURN

-A udp_outbound -p udp -j ACCEPT

COMMIT

# Completed on Tue Oct 4 11:38:00 2005




mechtn's firewall script - asbani - 2005-10-10

He probably wanted to prove his iptables security, and share it with people to secure their servers? I'm not sure tho.